UNITED STATES NUCLEAR REGULATORY COMMISSION

NUREG/BR-0304
Volume 2, Number 2
September 2004

OIG Information Digest

Inside this issue:
Management and Internal Controls   1-3
Computer Security                  3-5
When Good Credit Card Cops Go Bad  5

Special points of interest:
· Are You a Safe Cyber Surfer?
· Spyware Problems
· Visa/Mastercard Scam


Management and Internal Controls

Management Controls: Business and Personal Needs

What are management controls? Are they for accountants and financial organizations only? Why do I need them? Why does NRC need them? Who needs management controls?

You may not realize it, but management controls are vital to almost all the important functions we carry out in our professional and personal lives. They help us to maintain order and control, and most importantly they protect us from harm and give us a measure of confidence that our business and personal activities meet our expectations.

What are management controls? The Office of Management and Budget defines management controls -- organizational structure and an organization's policies and procedures -- as tools to help program and financial managers achieve results and safeguard the integrity of their programs. On a personal level, management controls are tools to protect us from personal or financial harm. Management controls are the proverbial barn door that we want to close.

Are management controls for accountants and financial organizations only? Absolutely not! Many people think of management controls as something needed only to prevent financial harm to an organization. For example, a company needs controls over its assets to prevent employees from misappropriating them, and payroll controls to ensure that only bona fide employees or contractors receive payment. But management controls also include a programmatic aspect. In other words, controls are needed to ensure that a program is functioning as management intends. Let's examine one or two NRC functions to see how management controls keep a program or activity on track.

NRC has many technical review processes for all areas of its regulatory activities. For example, one such activity is the review process for reactor technical specifications. To properly review any set of technical specifications, the agency needs a process (management control) to ensure that the appropriate organizations review and approve the specifications. Another example of management control is the document concurrence process. This process is designed to ensure that all parties to a document concur on its content. From an investigative point of view, management controls or rules are enforced to ensure that no civil or criminal law is broken and there is no monetary loss to the Government. Every facet of NRC operations needs management controls.

Why does NRC need them? They serve to ensure the integrity and efficiency of the agency, protect the health and safety of the public, and prevent fraud, waste, and abuse within agency programs.

Why do I need them? In our personal lives, management controls could simply be referred to as controls. These controls safeguard and protect us. Let's look at a few examples.

Before we can set up an ATM account, we establish a password to prevent unauthorized persons from withdrawing money from our account. The password is the control. An alarm system for a home has a code to activate and deactivate the alarm. The code is the control. Imagine what could happen if we did not safeguard our passwords or alarm codes. In order to ensure that our checking account is not overdrawn, we should maintain a running balance. The running balance is the control. The financial consequences of overdrawing an account can be substantial.

Who needs management controls? Everyone and every organization needs management controls in one form or another. Even the most seemingly unlikely entities need controls.

In 1988, TIME magazine ran a story about how a Federal Bureau of Investigation agent infiltrated an organized crime family and was ultimately instrumental in gaining more than 100 Federal convictions of organized crime members. The article explained how the agent stayed undercover for several years, despite reservations from several criminal associates. According to the article, the director of the New York State Organized Crime Task Force stated, "The Mob, which once ran thorough security checks on any stranger, simply lacked the 'discipline and internal controls' to unmask the agent...."

Summary - Management controls bring order, discipline, and protection to organizations and individuals. On the business side, we use them to ensure that financial assets are protected and that programs are implemented as intended. On the personal side, controls protect us from personal and financial harm. Inadequate controls may ultimately spell disaster for any business or individual.


Audit Summaries

NRC's Personnel Security Program

OIG found that personnel security program weaknesses pertaining to contractor access to NRC facilities could be placing the agency's information, facilities, and staff at risk. Specifically, program requirements were not consistently followed and the agency lacked a process for expeditiously resolving final access decisions for IT contractors with temporary access when issues arose in OPM background investigations. Program lapses occurred because managers had not effectively documented or communicated contractor security policies to NRC staff expected to carry out these policies. As a result, some contractors were inappropriately given access to NRC facilities and data, potentially jeopardizing agency employees and information.

Computer Security Reviews

The security reviews found that the controls implemented by the regions are generally effective in reducing the risks associated with their operations. However, several areas needed improvement. These areas included administrative security controls, information technology controls, and physical security.

Management Controls Can Facilitate OIG Investigations

Management controls are a factor in virtually all OIG investigations – in some cases, this is because illegal or inappropriate activity is traceable through the review of official records, which are a form of management control. For example, OIG criminal investigators, in furtherance of their official duties, may review employees' Government-issued credit card bills to identify suspected inappropriate charges when suspicions about inappropriate use are brought to the attention of the OIG. Over the past 2 years, through such investigations, OIG identified six employees who used their Government-issued credit card for non-work-related purchases. While most of these employees either paid for or intended to pay for these charges, personal use of the Government credit card is prohibited by NRC policy. In a like manner, cell phone and pager bills may also be reviewed for inappropriate use. Based on such information, OIG determined that an NRC employee incurred $43,000 in pager charges for usage not related to his official duties.

In other cases, individuals manipulate or undermine existing controls to try to hide illegal activities. For example, in 2001, OIG determined that NRC's parking garage contractor had stolen $1,713 in visitor parking fees from NRC by issuing two types of receipts to patrons. One type of receipt was legitimate; duplicates of these were kept to record customer payments owed to NRC. The other receipts, however, were not legitimate. These unofficial receipts were given to patrons, but copies were not maintained and payments recorded on them were not reported to NRC.

In a third scenario, prohibited behavior can occur despite the existence of management controls intended to prevent such activities. For example, although the agency uses software that restricts employee access to pornographic and other Web sites, OIG has substantiated that at least 11 employees have, over the past year, downloaded information from such sites onto their NRC computer. Thus, while it is likely that the software effectively prevents some individuals from accessing prohibited sites, it cannot entirely prevent such activity.


Computer Security

Are you a safe cyber-surfer?

When using your computer at home to make a purchase online, do your banking, pay bills over the Internet, check in with your office by e-mail, or just surf the Web for fun, you open a gateway to the personal information on your computer, including credit card numbers, bank balances, and more. You may also be in for costly computer repairs and lost data, due to damaging computer viruses that can invade your computer through e-mail connections.

Fortunately, there are steps you can take to protect your personal computer, your information, and your peace of mind from computer hackers who try to slow down network operations or, worse yet, steal personal information to commit a crime. Here are some helpful tips from the security experts at the Federal Trade Commission (FTC).

Some of these tips are well known by computer users, but they are always useful reminders.

· Make sure your passwords have both letters and numbers and are at least eight characters long.

· Install anti-virus software, particularly the kind that updates automatically.

· Prevent unauthorized access to your computer through firewall software or hardware, especially if you are a high-speed user. A properly configured firewall makes it tougher for hackers to locate your computers. Some firewalls block outgoing information as well as incoming files. That stops hackers from planting programs called spyware that cause your computer to send out your personal information without your approval.

· Don't open a file attached to an e-mail unless you are expecting it or know what it contains.

· Never forward any e-mail warning about a new virus. It may be a hoax and could be used to spread a virus.

Spyware or adware...are they the same?

Have you noticed, while you are surfing the Internet or as you log onto a certain Web site, creative little banners or characters jump across your screen telling you you've won a prize? Or they might suggest that to make your program run faster you should click on this button? Well, don't be fooled by these cute little advertisements, because they just may be what are called spyware or adware.

Spyware is software that aids in gathering information about a person or organization without their knowledge and consent and which may send that information to another entity. It has reportedly caused 50 percent of all crashes on computers using Microsoft systems. Spyware can also assert control over a computer without the user's knowledge. There are many "click-on" download tricks that spyware programs use to sneak onto computers, unbeknown to the user. It is commonly installed on your PC as a hidden addition to a legitimate program, by visiting Web sites, or through spam e-mail. For example, some spyware programs use deceptive pop-up windows so that if a user clicks on the "Close Window" button, that click counts as consent for the software to be installed.

Adware is any software application in which advertising banners are displayed while a program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen.

Spyware and adware quietly and secretly capture everything you do online. Unlike the instant impact of a virus, spyware and adware programs never reveal their presence on your personal computer.

Spyware can seriously interfere with your computer operations and compromise your privacy. Spyware makes your computer's performance and Internet access slow to a crawl. Serious infections can lead to a corrupt hard drive and exposure of private information, user names, and passwords, or, at worst, identity theft. Pop-up ad problems, a different homepage that you can't change, and a slower PC may be indications of a spyware problem.

A cookie is a piece of information sent by a Web server to a Web browser that the browser is expected to save and send back to the Web server whenever the browser makes additional requests of the Web server. Cookies are another means of tracking your surfing habits and can be used by spyware to gather more information about you. Delete your cookies on a regular basis and never open unsolicited e-mail. If you do not know who an e-mail is from, delete it. Other actions consumers can take:

· Implement new security upgrades made available by your Internet provider.

· Install anti-virus programs and update them regularly.

· Install anti-spyware programs to detect or block known spyware. Some anti-spyware programs are free and can be downloaded from the Internet. Others are available at a nominal cost. Remember to update these on a regular basis.

· Be careful when browsing online and make sure you know exactly what a "free" program will do before downloading or installing it.

· If asked whether you want to install a program, make sure you know who's distributing it. Before clicking "yes," ask yourself whether you know enough about that company to trust them.

· Be wary of clicking on any pop-up ad, even to close the window.

· Install an anti-spyware program, install a firewall, and ensure your virus protection is up-to-date.

By following these guidelines you should be safe from outside entities collecting private information about you.


When VISA's Good Cop is a Bad Egg.

A call from "Security" can trick you into revealing what you shouldn't.

You receive a telephone call from a person claiming to be from the Security and Fraud Department at one of the major credit card companies, stating that your card has been flagged for an unusual purchase pattern. They ask, "Did you purchase six Dell computers at three different locations in your area for $3,197.23 each?" "No," you answer without hesitation. "Then we will issue you a credit," the caller says. "To verify that you're in possession of your card, please read off the last three numbers that appear on the back." You are more than happy to agree. The caller gives you a confirmation number and encourages you to telephone with any questions you may have and then hangs up. He never asks for your card number – he asks for very little – so the word "fraud" doesn't enter your mind until you get your statement and find it filled with charges you don't recognize.

Where did you go wrong? By giving away those three little numbers on your signature strip. They are your unique "card verification value," and a con artist who already has your card number can use them to convince online and phone merchants that he actually has your card and hasn't just ripped off your number.

Officials at VISA and MasterCard are well aware of the scam, which seems to have blossomed this past spring. The giveaway is that the caller is asking for personal data. If you ever get such a request, explain that you don't discuss your credit card over the phone and say you'll call back. If the caller is legitimate, he'll understand. Then dial the 800 number on your card to see if his story checks out.


United States Nuclear Regulatory Commission
Office of the Inspector General
Mail Stop T5D-28
11545 Rockville Pike
Rockville, MD 20852

Phone: 301-415-5930
Fax: 301-415-5091
Hotline: 800-233-3497

We're on the Web!! Log onto the NRC Website and click on the links to the Inspector General Hotline!

TDD now available at the Office of the Inspector General. For any complaints of fraud, waste or abuse please dial 1-800-207-2787.